Releases: BookStackApp/BookStack

BookStack v22.02.3

07 Mar 15:14
v22.02.3
11a1a6f

Security Release

This is a security release that adds better protections against embedded content that could be used in malicious ways. It effectively restricts embedded iframe content using an allow-list approach.

A new ALLOWED_IFRAME_SOURCES option has been added to provide configuration of allowed embed/iframe sources within BookStack pages, and this defaults to a couple of popular services such as YouTube and Vimeo.

Please see this link for more detail regarding this option:

It's advised to upgrade as soon as possible if untrusted users can create or update pages within your BookStack instance.

Thanks to @416e6e61 (Anna) for discovering and reporting this vulnerability via huntr.dev.

Full List of Changes

  • Added iframe allow-list control to prevent a range of malicious uses of untrusted iframe sources. (#3314)
  • Updated translations with latest Crowdin changes. (#3312)

BookStack v22.02.2

01 Mar 22:49
v22.02.2
176a0dc

Full List of Changes

This release contains the following fixes and changes:

  • Added cache breaker to WYSIWYG onward loading to prevent plugin errors appearing if cached. (#3303)
  • Updated translations with latest Crowdin changes. (#3301)
  • Updated sidebar fade to be more subtle when in dark mode. (#3203)
  • Fixed WYSIWYG editor issue where blank lines would collapse. (#3302)

BookStack v22.02.1

27 Feb 17:48
v22.02.1
08b2a77

Full List of Changes

This release contains the following fixes and changes:

  • Updated editor references to avoid caching issue that would prevent WYSIWYG editor from opening. (#3293)
  • Updated code blocks within the editor to be more reliable, especially on first insertion. (#3292)
  • Updated translations with latest changes from Crowdin. (#3291)

BookStack v22.02

26 Feb 12:07
v22.02
58b83b6

Upgrade Notices

  • PHP Requirements Change - The minimum required version of PHP has changed from 7.3 to 7.4.

Full List of Changes

  • Added collapsible content blocks support to the WYSIWYG editor. (#78, #3260)
  • Added translation support to the WYSIWYG editor. (#1838)
  • Added user management API endpoints. (#3238, #1363, #2701)
  • Changed minimum PHP version from 7.3 to 7.4. (#3245, #3152)
  • Updated translations with latest Crowdin changes. (#3258, #3251, #3259)
  • Updated Korean translations. Thanks to @ististyle. (#3256)
  • Updated TinyMCE WYSIWYG editor to the latest version. (#3247)
  • Improved PDF export rendering of images within tables. (#3190)
  • Fixed potential web console error message when loading the editor. (#2461)
  • Fixed issue where OIDC token failures would not be shown to the user. (#3264)
  • Fixed issue where the editor could jump-scroll to the top after format change on Firefox. (#2692)

BookStack v21.12.5

06 Feb 15:54
v21.12.5
d11144d

Full List of Changes

This release contains the following fixes and changes:

  • Added text for "file" validation messages to provide better responses in Attachment API validation failures. (#3248)
  • Fixed WYSIWYG editor code block creation across multiple lines and block elements. Thanks to @Julesdevops. (#3246, #3200)
  • Fixed markdown image data URI extraction failing on large images due to regex match limits. (#3249)
  • Updated translations with latest Crowdin changes. (#3225)

BookStack v21.12.4

01 Feb 12:00
v21.12.4
815f8d7

Full List of Changes

This release contains the following fixes and changes:

  • Added --external-auth-id option to the bookstack:create-admin command for use with LDAP/SAML2/OIDC instances. (#3222)
  • Added the ability to select preferred language when creating a new user. (#2408, #2576)
  • Added configuration option for PDF export page size. (#995)
  • Updated 503 error view to simplify and prevent thrown errors. Thanks to @Julesdevops. (#3210, #3205)
  • Updated translations with latest Crowdin changes. (#3214)
  • Fixed mis-represented default registration role and allowed disabling of this option. (#3220, #2338)
  • Fixed OIDC autodiscovery when keys are provided in a certain format, as provided by Azure. (#3206)
  • Development change: The default development branch name is now development instead of master. (#3195)

BookStack v21.12.3

24 Jan 22:57
v21.12.3
262f863

Upgrade Notices

  • Composer Version Requirement Change - Composer v2.0 or greater is now required to install or update BookStack.
    • You can check your composer version by running composer -V.
    • You can often update composer by running sudo composer self-update
      • (Or you may be prompted to run sudo composer self-update --2).
    • If you're using a system-supplied composer package you may need to first uninstall that (eg. sudo apt remove composer) then follow the composer download documentation to get the latest version.
      • Take notice of the sudo mv composer.phar /usr/local/bin/composer command shown in the documentation to install composer globally for easier usage.

Full List of Changes

This release contains the following fixes and changes:

  • Updated development docker environment with xdebug support. Thanks to @Julesdevops. (#3193)
  • Updated user creation flow to not persist the user on invitation sending failure. Thanks to @Julesdevops. (#3179, #3174)
  • Updated "Recently Updated Pages" view to show update author and date. Thanks to @Julesdevops. (#3177, #3045)
  • Updated translations with latest Crowdin changes. (#3158)
  • Updated PDF page export image display to help fix image sizing issues again. (#3120)
  • Updated "Recently Updated Pages" view to show parent context chain. (#3183)
  • Fixed potential errors in revision diff view when multi-byte characters are used. (#3170)
  • Fixed duplicate display in image gallery when uploading multiple images at once. (#3160)
  • Fixed inaccurate markdown editor cursor position upon sidebar usage. (#3186)

BookStack v21.12.2

10 Jan 18:29
v21.12.2
53f3cca

Full List of Changes

This release contains the following fixes and changes:

  • Improved handling of uploaded images when thumbnails fail to load. (#3142)
  • Updated translations with latest Crowdin changes. (#3148)
  • Fixed issue where webhooks would error for specific recycle bin operations. (#3154)
  • Fixed Spanish invite email subject translation. Thanks to @AitorMatxi. (#3153)
  • Fixed issue where custom homepage could cause strange deletion behavior and lead to errors. (#3150)

BookStack v21.12.1

06 Jan 12:24
v21.12.1
de97ebf

Security Release

BookStack v21.12.1 has been released.
This is a security release that better enforces permissions on book-sort & chapter-move operations to address scenarios where content could be moved to non-permissible locations.

It's advised to upgrade as soon as possible if untrusted users can update books or chapters in your BookStack instance.

Thanks again to @Haxatron for discovering and reporting this vulnerability via huntr.dev.

Full List of Changes

  • Added timeout and debugging statuses to webhooks. (#3139)
  • Added new webhook_call_before logical theme system event hook. (#3138)
  • Updated support for APNG images to retain animation. (#3136)
  • Updated book sort and chapter move handling to enforce more permissions. (#3134)
  • Updated item-search/select box to autofocus on search field. (#3127)
  • Updated webhooks to not stop application on endpoint call failure. (#3122)
  • Updated translations with latest Crowdin changes. (#3117)
  • Fixed webhooks list view issue where columns would become too narrow. (#3135)
  • Fixed linked images showing small in PDF export. (#3120)
  • Fixed issue where pasting certain code blocks would cause erratic editor behavior. (#3133)

BookStack v21.12

22 Dec 17:14
v21.12
0943683

Full List of Changes

  • Added webhooks. (#147, #3099)
  • Added ability to copy books, chapters & roles. (#3118, #1123)
  • Added audit log IP address search. Thanks to @johnroyer. (#3081)
  • Updated translations with latest Crowdin changes. (#3117)
  • Fixed issue where non-ascii content could break search result previews. Thanks to @Kristian-Krastev. (#3113)
  • Fixed mismatched password validation rules across the application. (#2237)